Getting started with Conditional Access: Comparing Entra ID Conditional Access with Cisco Duo Security

Source: The Red Canary Blog: Information Security Insights

Author: Sam Straka

URL: https://redcanary.com/blog/security-operations/conditional-access-cisco-duo/

ONE SENTENCE SUMMARY:

This blog post compares Microsoft’s Entra ID Conditional Access and Cisco’s Duo Adaptive Access Policies, highlighting their similarities, differences, and integration possibilities.

MAIN POINTS:

  1. Duo primarily provides MFA layered over existing identity solutions, unlike full IAM platforms such as Microsoft’s.
  2. Duo policies can be globally applied or targeted per application/user group, similar to Entra ID.
  3. Duo enforces MFA by default, with conditional bypass options for trusted scenarios.
  4. Device compliance checks in Duo use certificates or health apps, comparable to Entra ID Intune integration.
  5. Duo’s user interface for granular device policy rules is user-friendly and intuitive.
  6. Duo offers geolocation and trusted network conditions similar to Entra ID’s named locations.
  7. Duo introduced Risk-Based Authentication (RBA) in 2023, focusing on anomalies during MFA steps.
  8. Duo doesn’t directly block legacy authentication; it relies on the primary authentication system to do that.
  9. Duo excels at enforcing device health and compliance checks for sensitive resource access.
  10. Duo integrates as a third-party MFA provider with Entra ID Conditional Access via custom controls.

TAKEAWAYS:

  1. Duo is ideal for organizations looking primarily for strong MFA and device health checks.
  2. Microsoft Entra ID offers deeper integration with device management and broader risk evaluation signals.
  3. Duo’s RBA effectively addresses MFA fatigue and anomalous sign-in behaviors.
  4. Combining Duo with Entra ID provides comprehensive conditional access coverage but introduces complexity.
  5. Advanced conditional access features in both solutions require higher-tier licensing plans.